Meraki

Community

vMX and firewalling in Azure

Solved
Henrik_DK
Conversationalist
‎May 15 2024 5:40 AM
‎May 15 2024 5:40 AM

vMX and firewalling in Azure

As far as I understand we will NOT be able to use our vMX as a firewall between Azure and the Internet - its only good for VPN - can you confirm? 🙂

Labels:
0 Kudos
1 Accepted Solution
In response to Henrik_DK
MartinLL
Building a reputation
‎May 15 2024 9:19 AM
‎May 15 2024 9:19 AM

No you can not. Traffic will be routed to the subnet gateway and forwarded according to azure routing. The vMX can do NAT, but only for its private interface ip, not public.

My recomendation, brake internett access out localy. If that is not possible look into adding Umbrella SIG or Secure Connect Plus.

MLL

View solution in original post

8 Replies 8
alemabrahao
Kind of a big deal
‎May 15 2024 5:52 AM
‎May 15 2024 5:52 AM

In fact, it has Firewall functionalities because it is a firewall. However, you won't have the full functionality of a physical device due to licensing limitations.

What exactly do you need? The idea of vMX is to be more like a hub to make it easier to access your resources within Azure or AWS, but it would be nice if you gave an overview of what you need.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Henrik_DK
Conversationalist
‎May 15 2024 5:56 AM
‎May 15 2024 5:56 AM

Thanks - we were recommended a vMX-setup that should offer the same firewall-capabilities as the MX - configurable in- and out-going firewalling, which it does not do if I am not mistaken? 🙂

0 Kudos
In response to Henrik_DK
alemabrahao
Kind of a big deal
‎May 15 2024 6:01 AM
‎May 15 2024 6:01 AM

Again, what is the purpose of vMX? I see it more as a transit gateway to access your resources within Azure, AWS, etc.

Do you want to expose your applications to the internet and use vMX to do some type of filtering? Or is it to limit what your machines within Azure can access?

It can handle like a firewall, but it would be good to understand its purpose first.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Henrik_DK
Conversationalist
‎May 15 2024 6:04 AM
‎May 15 2024 6:04 AM

My goal was to clarify wether or not it could do the same firewalling as a MX or not - which I think it cannot? 🙂

0 Kudos
In response to Henrik_DK
alemabrahao
Kind of a big deal
‎May 15 2024 6:10 AM
‎May 15 2024 6:10 AM

Not 100%, some features are not supported.

 

vMX Comparison Datasheet - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Henrik_DK
Conversationalist
‎May 15 2024 6:30 AM
‎May 15 2024 6:30 AM

As far as our test shows we cannot get traffic through the vMX directly to the internet - is it something you have experience with?

0 Kudos
In response to Henrik_DK
MartinLL
Building a reputation
‎May 15 2024 9:19 AM
‎May 15 2024 9:19 AM

No you can not. Traffic will be routed to the subnet gateway and forwarded according to azure routing. The vMX can do NAT, but only for its private interface ip, not public.

My recomendation, brake internett access out localy. If that is not possible look into adding Umbrella SIG or Secure Connect Plus.

MLL
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 15 2024 12:28 PM
‎May 15 2024 12:28 PM

Correct.  You won't be able to use your VMX like a traditional firewall in Azure.  Use network security groups for that.

 

Check out this document and jump down tot he "Unsupported Features" section.
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Comparison_Datasheet 

Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.